294 lines
6.4 KiB
C++
294 lines
6.4 KiB
C++
#define KEY "79c86fb12b36dfa33d1a537c9af100b4c7928a9c"
|
||
#include "openwechat.h"
|
||
#include <string>
|
||
#include <wchar.h>
|
||
#include <cstring>
|
||
#include <vector>
|
||
#include <tlhelp32.h>
|
||
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQuerySystemInformation");
|
||
NTQUERYOBJECT NtQueryObject = (NTQUERYOBJECT)GetProcAddress(
|
||
GetModuleHandleA("ntdll.dll"), "NtQueryObject");
|
||
BOOL IsTargetPid(DWORD Pid, std::vector<DWORD> Pids, int num)
|
||
{
|
||
for (auto pid:Pids)
|
||
{
|
||
if (Pid == pid)
|
||
{
|
||
return TRUE;
|
||
}
|
||
}
|
||
return FALSE;
|
||
}
|
||
HANDLE DuplicateHandleEx(DWORD pid, HANDLE h, DWORD flags)
|
||
{
|
||
HANDLE hHandle = NULL;
|
||
|
||
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
|
||
if (hProc)
|
||
{
|
||
if (!DuplicateHandle(hProc,
|
||
(HANDLE)h, GetCurrentProcess(),
|
||
&hHandle, 0, FALSE, /*DUPLICATE_SAME_ACCESS*/flags))
|
||
{
|
||
hHandle = NULL;
|
||
}
|
||
}
|
||
|
||
CloseHandle(hProc);
|
||
return hHandle;
|
||
}
|
||
|
||
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
|
||
USHORT UniqueProcessId;
|
||
USHORT CreatorBackTraceIndex;
|
||
UCHAR ObjectTypeIndex;
|
||
UCHAR HandleAttributes;
|
||
USHORT HandleValue;
|
||
PVOID Object;
|
||
ULONG GrantedAccess;
|
||
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
|
||
typedef struct
|
||
{
|
||
USHORT Length;
|
||
USHORT MaxLen;
|
||
USHORT *Buffer;
|
||
}UNICODE_STRING, *PUNICODE_STRING;
|
||
typedef struct _OBJECT_NAME_INFORMATION {
|
||
UNICODE_STRING Name;
|
||
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
|
||
|
||
typedef struct _SYSTEM_HANDLE_INFORMATION1 {
|
||
ULONG NumberOfHandles;
|
||
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
|
||
} SYSTEM_HANDLE_INFORMATION1, *PSYSTEM_HANDLE_INFORMATION1;
|
||
|
||
DWORD qureyProcessId(std::wstring name, std::vector<DWORD> *pids) {
|
||
DWORD pid;
|
||
PROCESSENTRY32 entry;
|
||
entry.dwSize = sizeof(PROCESSENTRY32);
|
||
|
||
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
|
||
|
||
if (Process32First(snapshot, &entry) == TRUE)
|
||
{
|
||
while (Process32Next(snapshot, &entry) == TRUE)
|
||
{
|
||
if (std::wstring(entry.szExeFile) == name) {
|
||
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
|
||
pid = GetProcessId(hProcess);
|
||
CloseHandle(hProcess);
|
||
pids->emplace_back(pid);
|
||
}
|
||
}
|
||
}
|
||
CloseHandle(snapshot);
|
||
return pid;
|
||
}
|
||
BOOL ElevatePrivileges()
|
||
{
|
||
HANDLE hToken;
|
||
TOKEN_PRIVILEGES tkp;
|
||
tkp.PrivilegeCount = 1;
|
||
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
|
||
return FALSE;
|
||
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
|
||
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
|
||
{
|
||
return FALSE;
|
||
}
|
||
|
||
return TRUE;
|
||
}
|
||
int PatchWeChat()
|
||
{
|
||
DWORD dwSize = 0;
|
||
POBJECT_NAME_INFORMATION pNameInfo;
|
||
POBJECT_NAME_INFORMATION pNameType;
|
||
PVOID pbuffer = NULL;
|
||
NTSTATUS Status;
|
||
int nIndex = 0;
|
||
DWORD dwFlags = 0;
|
||
char szType[128] = { 0 };
|
||
char szName[512] = { 0 };
|
||
PSYSTEM_HANDLE_INFORMATION1 pHandleInfo = NULL;
|
||
int ret = -1;
|
||
|
||
ElevatePrivileges();
|
||
std::vector<DWORD> pids;
|
||
DWORD Num = qureyProcessId(L"WeChat.exe", &pids);
|
||
if (Num == 0)
|
||
{
|
||
return ret;
|
||
}
|
||
|
||
if (!ZwQuerySystemInformation)
|
||
{
|
||
goto Exit0;
|
||
}
|
||
|
||
pbuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
|
||
|
||
if (!pbuffer)
|
||
{
|
||
goto Exit0;
|
||
}
|
||
|
||
Status = ZwQuerySystemInformation(SystemHandleInformation, pbuffer, 0x1000, &dwSize);
|
||
|
||
if (Status<0)
|
||
{
|
||
if ((LONG)0xC0000004L != Status)
|
||
{
|
||
goto Exit0;
|
||
}
|
||
else
|
||
{
|
||
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ҿ<EFBFBD><D2BF>Ա<EFBFBD>֤<EFBFBD><D6A4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȷ<EFBFBD><C8B7>ʹ<EFBFBD><CAB9>ѭ<EFBFBD><D1AD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ժ<EFBFBD>
|
||
if (NULL != pbuffer)
|
||
{
|
||
VirtualFree(pbuffer, 0, MEM_RELEASE);
|
||
}
|
||
|
||
if (dwSize * 2 > 0x4000000) // MAXSIZE
|
||
{
|
||
goto Exit0;
|
||
}
|
||
|
||
pbuffer = VirtualAlloc(NULL, dwSize * 2, MEM_COMMIT, PAGE_READWRITE);
|
||
|
||
if (!pbuffer)
|
||
{
|
||
goto Exit0;
|
||
}
|
||
|
||
Status = ZwQuerySystemInformation(SystemHandleInformation, pbuffer, dwSize * 2, NULL);
|
||
|
||
if (Status<0)
|
||
{
|
||
goto Exit0;
|
||
}
|
||
}
|
||
}
|
||
|
||
pHandleInfo = (PSYSTEM_HANDLE_INFORMATION1)pbuffer;
|
||
|
||
for (nIndex = 0; nIndex < pHandleInfo->NumberOfHandles; nIndex++)
|
||
{
|
||
if (IsTargetPid(pHandleInfo->Handles[nIndex].UniqueProcessId, pids, Num))
|
||
{
|
||
//
|
||
HANDLE hHandle = DuplicateHandleEx(pHandleInfo->Handles[nIndex].UniqueProcessId,
|
||
(HANDLE)pHandleInfo->Handles[nIndex].HandleValue,
|
||
DUPLICATE_SAME_ACCESS
|
||
);
|
||
if (hHandle == NULL) continue;
|
||
|
||
Status = NtQueryObject(hHandle, ObjectNameInformation, szName, 512, &dwFlags);
|
||
|
||
if (Status<0)
|
||
{
|
||
CloseHandle(hHandle);
|
||
continue;
|
||
}
|
||
|
||
Status = NtQueryObject(hHandle, ObjectTypeInformation, szType, 128, &dwFlags);
|
||
|
||
if (Status<0)
|
||
{
|
||
CloseHandle(hHandle);
|
||
continue;
|
||
}
|
||
|
||
pNameInfo = (POBJECT_NAME_INFORMATION)szName;
|
||
pNameType = (POBJECT_NAME_INFORMATION)szType;
|
||
|
||
WCHAR TypName[1024] = { 0 };
|
||
WCHAR Name[1024] = { 0 };
|
||
|
||
wcsncpy_s(TypName, (WCHAR*)pNameType->Name.Buffer, pNameType->Name.Length / 2);
|
||
wcsncpy_s(Name, (WCHAR*)pNameInfo->Name.Buffer, pNameInfo->Name.Length / 2);
|
||
|
||
// ƥ<><C6A5><EFBFBD>Ƿ<EFBFBD>Ϊ<EFBFBD><CEAA>Ҫ<EFBFBD>رյľ<D5B5><C4BE><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
||
if (0 == wcscmp(TypName, L"Mutant"))
|
||
{
|
||
//WeChat_aj5r8jpxt_Instance_Identity_Mutex_Name
|
||
//if (wcsstr(Name, L"_WeChat_App_Instance_Identity_Mutex_Name"))
|
||
if (wcsstr(Name, L"_WeChat_") &&
|
||
wcsstr(Name, L"_Instance_Identity_Mutex_Name"))
|
||
{
|
||
CloseHandle(hHandle);
|
||
|
||
hHandle = DuplicateHandleEx(pHandleInfo->Handles[nIndex].UniqueProcessId,
|
||
(HANDLE)pHandleInfo->Handles[nIndex].HandleValue,
|
||
DUPLICATE_CLOSE_SOURCE
|
||
);
|
||
|
||
if (hHandle)
|
||
{
|
||
ret = ERROR_SUCCESS;
|
||
CloseHandle(hHandle);
|
||
}
|
||
else
|
||
{
|
||
ret = GetLastError();
|
||
}
|
||
|
||
//goto Exit0;
|
||
}
|
||
}
|
||
|
||
CloseHandle(hHandle);
|
||
}
|
||
|
||
}
|
||
|
||
Exit0:
|
||
if (NULL != pbuffer)
|
||
{
|
||
VirtualFree(pbuffer, 0, MEM_RELEASE);
|
||
}
|
||
|
||
return ret;
|
||
}
|
||
int WINAPI WinMain(
|
||
HINSTANCE hInstance,
|
||
HINSTANCE hPrevInstance,
|
||
PSTR nCmdLine,
|
||
int iCmdShow
|
||
) {
|
||
if (strcmp(nCmdLine, KEY) != 0){
|
||
return 0;
|
||
}
|
||
else {
|
||
int ret = 1;
|
||
PatchWeChat();
|
||
WCHAR Path[1024];
|
||
HKEY hKey = NULL;
|
||
if (ERROR_SUCCESS != RegOpenKey(HKEY_CURRENT_USER, L"Software\\Tencent\\WeChat", &hKey))
|
||
{
|
||
|
||
return ret;
|
||
}
|
||
|
||
DWORD Type = REG_SZ;
|
||
// WCHAR Path[MAX_PATH] = { 0 };
|
||
DWORD cbData = MAX_PATH * sizeof(WCHAR);
|
||
if (ERROR_SUCCESS != RegQueryValueEx(hKey, L"InstallPath", 0, &Type, (LPBYTE)Path, &cbData))
|
||
{
|
||
ret = GetLastError();
|
||
if (hKey)
|
||
{
|
||
RegCloseKey(hKey);
|
||
}
|
||
return ret;
|
||
}
|
||
WCHAR exe[1024];
|
||
wcscpy_s(exe, Path);
|
||
wcscat_s(exe, L"\\WeChat.exe");
|
||
|
||
ShellExecute(GetDesktopWindow(), L"open", exe, L"", Path, SW_SHOW);
|
||
|
||
}
|
||
return 0;
|
||
} |